RE: Sendmail ignores hosts.allow
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Maxim Khitrov
Sent: Monday, May 21, 2007 6:14 PM
To: freebsd-questions@freebsd.org
Subject: Re: Sendmail ignores hosts.allow

> however, I had a feeling that it was jail-related. But what about the hosts.allow problem? I can run a firewall, of course, but hosts.allow seems like a more efficient way of doing the same thing. I've already got it configured and working with sshd, so I see no reason why sendmail doesn't want to work the same way.

You said earlier that your sendmail was compiled with tcp wrapper support. How exactly did you go about doing this and installing it?

In any case, since you're not going to be using sendmail much, if you're that paranoid I would suggest you simply disable it and run it out of inetd. Then use the usual tcpd method (in the man page) to run inetd.

Ted

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Sendmail ignores hosts.allow
Maxim Khitrov wrote:
> Do you know if there is a reason they chose to do it this way? Accept the connection, but don't allow the client to do anything with it?

If sendmail just dropped the connection, then the sending MTA would retry the message, potentially every 15 minutes for up to 5 days. The way sendmail does it, the sending MTA gets a 5xx permanent error message straight away, meaning it tries once and then fails.

Of course, that assumes the MTAs involved are doing something like following the appropriate RFCs, which most of the spambots fail to do.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
Re: Sendmail ignores hosts.allow
On 5/22/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> I suspect sendmail is reading /etc/hosts.allow
>
>     # Start by allowing everything (this prevents the rest of the file
>     # from working, so remove it when you need protection).
>     # The rules here work on a First match wins basis.
>     #ALL : ALL : allow
>
> Did you comment out the above line?
>
> Steve

Here's the entire file as it is right now:

    # Deny sendmail to all clients (temporary)
    sendmail : all : deny
    # Allow anything from localhost
    all : local ip : allow
    # Process SSH deny rules
    sshd : /etc/hosts.evil : deny
    # Allow everything else
    all : all : allow

Once I can get sendmail to block all connection requests, I'll move it below the second rule. That way, only local processes will be able to use it. For now, however, that rule is being ignored completely.

- Max
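The ordering question in the file above (first match wins, and where the sendmail deny sits relative to the local allow) can be checked without touching a live box. The following is an added example, not code from the thread and not tcpd/libwrap itself; it models a subset of hosts_access(5) syntax and stands in 192.0.2.10 (a TEST-NET-1 placeholder) for the redacted "local ip", with the contents of /etc/hosts.evil supplied inline as a constructed table.

```python
"""First-match evaluator for hosts.allow-style rules.

Added example for this thread; it is not tcpd/libwrap code and models only a
subset of hosts_access(5) syntax: daemon list, client list (ALL, exact address,
"1.2.3." prefix, net/mask, /path to a file of patterns) and an allow/deny option.
"""
import ipaddress

# Constructed copy of the file posted above. "local ip" in the post was the
# poster's redacted jail address; 192.0.2.10 (TEST-NET-1) stands in for it.
HOSTS_ALLOW_FIRST_DENY = """\
# Deny sendmail to all clients (temporary)
sendmail : all : deny
# Allow anything from localhost
all : 192.0.2.10 : allow
# Process SSH deny rules
sshd : /etc/hosts.evil : deny
# Allow everything else
all : all : allow
"""

# The same rules with the sendmail deny moved below the local allow, which is
# the end state the poster says he wants.
HOSTS_ALLOW_LOCAL_ONLY = """\
all : 192.0.2.10 : allow
sendmail : all : deny
sshd : /etc/hosts.evil : deny
all : all : allow
"""

# Constructed stand-in for files named in a client list, so nothing is read
# from disk. Addresses are documentation ranges.
FILE_LISTS = {"/etc/hosts.evil": ["198.51.100.7", "203.0.113."]}


def parse_rules(text):
    """Return [(lineno, daemons, clients, action)] for the non-comment lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2 or not fields[0] or not fields[1]:
            raise ValueError(f"line {lineno}: expected daemon_list : client_list")
        # A matching rule grants access unless its option field says deny.
        action = "deny" if len(fields) > 2 and fields[2].lower() == "deny" else "allow"
        rules.append((lineno, fields[0].split(), fields[1].split(), action))
    return rules


def client_matches(pattern, addr):
    """Match one client pattern against a dotted-quad address string."""
    p = pattern.lower()
    if p == "all":
        return True
    if p.startswith("/"):  # file of patterns; looked up in FILE_LISTS here
        return any(client_matches(x, addr) for x in FILE_LISTS.get(p, []))
    if p.endswith("."):  # "203.0.113." matches every host in that /24
        return addr.startswith(p)
    if "/" in p:  # net/mask form, e.g. 10.0.0.0/255.0.0.0
        net, mask = p.split("/", 1)
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(
                f"{net}/{mask}", strict=False)
        except ValueError:
            return False
    return p == addr


def check_access(rules, daemon, addr):
    """First matching rule decides; no match at all means access is granted."""
    for lineno, daemons, clients, action in rules:
        if not any(d.lower() in ("all", daemon.lower()) for d in daemons):
            continue
        if any(client_matches(c, addr) for c in clients):
            return action, lineno
    return "allow", None


if __name__ == "__main__":
    for label, text in (("deny first", HOSTS_ALLOW_FIRST_DENY),
                        ("local allow first", HOSTS_ALLOW_LOCAL_ONLY)):
        rules = parse_rules(text)
        for daemon, addr in (("sendmail", "192.0.2.10"), ("sendmail", "198.51.100.7"),
                             ("sshd", "203.0.113.55"), ("sshd", "192.0.2.10")):
            print(label, daemon, addr, "->", check_access(rules, daemon, addr))
```

With the deny on line 2 even the jail's own address is refused for sendmail, which is the "temporary" state described above; only the reordered file lets local submission through while still denying everyone else. This models the access decision only, not how a given daemon acts on it.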
Re: Sendmail ignores hosts.allow
On 5/22/07, doug [EMAIL PROTECTED] wrote:
> On Tue, 22 May 2007, Maxim Khitrov wrote:
>> On 5/22/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>>> I suspect sendmail is reading /etc/hosts.allow
>>>
>>>     # Start by allowing everything (this prevents the rest of the file
>>>     # from working, so remove it when you need protection).
>>>     # The rules here work on a First match wins basis.
>>>     #ALL : ALL : allow
>>>
>>> Did you comment out the above line?
>>>
>>> Steve
>>
>> Here's the entire file as it is right now:
>>
>>     # Deny sendmail to all clients (temporary)
>>     sendmail : all : deny
>>     # Allow anything from localhost
>>     all : local ip : allow
>>     # Process SSH deny rules
>>     sshd : /etc/hosts.evil : deny
>>     # Allow everything else
>>     all : all : allow
>>
>> Once I can get sendmail to block all connection requests, I'll move it below the second rule. That way, only local processes will be able to use it. For now, however, that rule is being ignored completely.
>
> The default configuration gives you what you want so I assume your goal is to see if you can make hosts.allow work within a jail. In general there are performance reasons not to use inetd to control ssh and sendmail. ssh under inetd causes more key generation. Sendmail has its own controls which give you the equivalent (or better) than can be done with inetd.
>
> I assume from an earlier post you are trying to make this work inside a jail. If that's true you must also have in the jail rc.conf
>
>     inetd_flags=-wW -a your-ip-address
>
> I assume you have this or you would not have been able to control ssh. All that said, I have only used inetd to control ftp/imap/pop3. It seems to me your specific question is: does this work inside a jail and is any special setup required to make it work with sendmail. Sorry I can not help more.
>
> Doug

I'm not sure I understand what you mean... I'm not using inetd, and the default configuration doesn't block sendmail from all remote hosts. The ssh server is running all by itself, same as sendmail. The way I understand it is that as long as the server was compiled with tcp wrappers, it should follow the rules in hosts.allow.

- Max
Re: Sendmail ignores hosts.allow
On May 22, 2007, at 10:46, Maxim Khitrov wrote:
> On 5/22/07, doug [EMAIL PROTECTED] wrote:
>> On Tue, 22 May 2007, Maxim Khitrov wrote:
>>> On 5/22/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>>>> I suspect sendmail is reading /etc/hosts.allow
>>>>
>>>>     # Start by allowing everything (this prevents the rest of the file
>>>>     # from working, so remove it when you need protection).
>>>>     # The rules here work on a First match wins basis.
>>>>     #ALL : ALL : allow
>>>>
>>>> Did you comment out the above line?
>>>>
>>>> Steve
>>>
>>> Here's the entire file as it is right now:
>>>
>>>     # Deny sendmail to all clients (temporary)
>>>     sendmail : all : deny
>>>     # Allow anything from localhost
>>>     all : local ip : allow
>>>     # Process SSH deny rules
>>>     sshd : /etc/hosts.evil : deny
>>>     # Allow everything else
>>>     all : all : allow
>>>
>>> Once I can get sendmail to block all connection requests, I'll move it below the second rule. That way, only local processes will be able to use it. For now, however, that rule is being ignored completely.
>>
>> The default configuration gives you what you want so I assume your goal is to see if you can make hosts.allow work within a jail. In general there are performance reasons not to use inetd to control ssh and sendmail. ssh under inetd causes more key generation. Sendmail has its own controls which give you the equivalent (or better) than can be done with inetd.
>>
>> I assume from an earlier post you are trying to make this work inside a jail. If that's true you must also have in the jail rc.conf
>>
>>     inetd_flags=-wW -a your-ip-address
>>
>> I assume you have this or you would not have been able to control ssh. All that said, I have only used inetd to control ftp/imap/pop3. It seems to me your specific question is: does this work inside a jail and is any special setup required to make it work with sendmail. Sorry I can not help more.
>>
>> Doug
>
> I'm not sure I understand what you mean... I'm not using inetd, and the default configuration doesn't block sendmail from all remote hosts. The ssh server is running all by itself, same as sendmail. The way I understand it is that as long as the server was compiled with tcp wrappers, it should follow the rules in hosts.allow.

tcp wrappers must be coded into the application. The call which actually checks the access permissions in the hosts.allow file is hosts_access() (see man hosts_access). Checking through the sendmail source for version 8.13.8, there are no calls to hosts_access in the source code. You will need to patch sendmail to make it do what you want. There might be patches at www.sendmail.org for that, but I doubt it. openssh's sshd.c is probably a good template to use.
Re: Sendmail ignores hosts.allow
Doug Hardie wrote:
> On May 22, 2007, at 10:46, Maxim Khitrov wrote:
>>     # Deny sendmail to all clients (temporary)
>>     sendmail : all : deny
>
> tcp wrappers must be coded into the application. The call which actually checks the access permissions in the hosts.allow file is hosts_access() (see man hosts_access). Checking through the sendmail

I have to disagree with that. I run unmodified 8.13.8 on 6.2, and it DOES respect hosts.allow. Just not in the way you might assume.

I can telnet to port 25, it allows connections from *anywhere*, and will respond to a HELO. It's not until I give it a "mail to:" that it protests with "550 5.0.0 Access denied". I use FEATURE(delay_checks) in the cf file, which may have some effect on this.

The log file shows:

    May 22 14:56:47 cartman sm-mta[74026]: l4MIullh074026: tcpwrappers (unknown, 192.31.130.140) rejection

The actual options version look like:

    $ sendmail -bp -d0.1
    Version 8.13.8
     Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
                    NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING
                    SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG
    $ uname -rms
    FreeBSD 6.2-RELEASE i386

-RW
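Since the only visible trace of the wrapper decision is that maillog line, a defender's check is to pull the tcpwrappers rejections out of the log and count them per source address. This is an added example, not code from the post; the sample log is constructed (the first line is the one quoted above, the rest use documentation addresses) and the sm-mta field layout is assumed from that line.

```python
"""Extract sendmail tcpwrappers rejections from /var/log/maillog lines.

Added example for this thread, not code from the post. The line format is
assumed from the single log line quoted above:
  <syslog timestamp> <host> sm-mta[<pid>]: <queue id>: tcpwrappers (<rhost>, <ip>) rejection
"""
import re
from collections import Counter

# Constructed sample: line 1 is the one quoted in the post, the others are
# made up with documentation addresses (203.0.113.0/24, 198.51.100.0/24).
SAMPLE_MAILLOG = """\
May 22 14:56:47 cartman sm-mta[74026]: l4MIullh074026: tcpwrappers (unknown, 192.31.130.140) rejection
May 22 14:57:02 cartman sm-mta[74031]: l4MIv2aa074031: from=<user@example.net>, size=1207, class=0, nrcpts=1, proto=ESMTP, relay=mail.example.net [198.51.100.7]
May 22 14:58:15 cartman sm-mta[74040]: l4MIwFxx074040: tcpwrappers (unknown, 203.0.113.9) rejection
May 22 14:58:16 cartman sm-mta[74041]: l4MIwGxx074041: tcpwrappers (unknown, 203.0.113.9) rejection
May 22 14:59:40 cartman sm-mta[74055]: l4MIxeyy074055: tcpwrappers (mx.example.org, 203.0.113.9) rejection
"""

REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sm-mta\[(?P<pid>\d+)\]: "
    r"(?P<qid>\w+): tcpwrappers \((?P<rhost>[^,]*), (?P<ip>[^)]+)\) rejection$"
)


def parse_rejections(lines):
    """Return one dict (ts, host, pid, qid, rhost, ip) per rejection line."""
    records = []
    for line in lines:
        m = REJECT_RE.match(line.rstrip("\n"))
        if m:  # non-matching lines (normal deliveries etc.) are skipped
            records.append(m.groupdict())
    return records


def rejections_by_ip(lines):
    """Count rejections per peer address."""
    return Counter(r["ip"] for r in parse_rejections(lines))


def repeat_offenders(lines, threshold=2):
    """Addresses rejected at least `threshold` times, sorted."""
    return sorted(ip for ip, n in rejections_by_ip(lines).items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_MAILLOG.splitlines()
    for ip, n in rejections_by_ip(lines).most_common():
        print(f"{ip:16} {n} rejection(s)")
    print("repeat offenders:", repeat_offenders(lines))
```

Because the wrapper lets the SMTP session open before refusing it, the rejection carries a queue id and the peer's reverse name, which is exactly what makes the line usable for a per-source tally.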
Re: Sendmail ignores hosts.allow
Maxim Khitrov wrote:
> I'm not sure I understand what you mean... I'm not using inetd, and the default configuration doesn't block sendmail from all remote hosts. The ssh server is running all by itself, same as sendmail. The way I understand it is that as long as the server was compiled with tcp wrappers, it should follow the rules in hosts.allow.

Sendmail is different from other network apps in that it does not block the connection when a deny rule is in effect; instead it sends some kind of reject code (5xx) during the SMTP conversation. If you check /var/log/maillog you may well see this happening.

If you search the mail archives (or try google) with some appropriate keywords then you should find a post from Matthew Seaman which explains it in detail. You could also search the source code, if you are somewhat C literate.

If you want to completely block connections from specific hosts (or only allow specific hosts) then I would suggest doing that with firewall rules.

Didn't follow the start of the thread very closely so I hope I got the right end of the stick.

--Alex
Re: Sendmail ignores hosts.allow
On 5/22/07, Rob [EMAIL PROTECTED] wrote:
> Doug Hardie wrote:
>> On May 22, 2007, at 10:46, Maxim Khitrov wrote:
>>>     # Deny sendmail to all clients (temporary)
>>>     sendmail : all : deny
>>
>> tcp wrappers must be coded into the application. The call which actually checks the access permissions in the hosts.allow file is hosts_access() (see man hosts_access). Checking through the sendmail
>
> I have to disagree with that. I run unmodified 8.13.8 on 6.2, and it DOES respect hosts.allow. Just not in the way you might assume.
>
> I can telnet to port 25, it allows connections from *anywhere*, and will respond to a HELO. It's not until I give it a "mail to:" that it protests with "550 5.0.0 Access denied". I use FEATURE(delay_checks) in the cf file, which may have some effect on this.
>
> The log file shows:
>
>     May 22 14:56:47 cartman sm-mta[74026]: l4MIullh074026: tcpwrappers (unknown, 192.31.130.140) rejection
>
> The actual options version look like:
>
>     $ sendmail -bp -d0.1
>     Version 8.13.8
>      Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
>                     NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING
>                     SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG
>     $ uname -rms
>     FreeBSD 6.2-RELEASE i386
>
> -RW

You know, I could have sworn that I checked actually sending the message through telnet yesterday with the deny rule in place. You're right though, it fails right after I give it the mail from command. Guess I didn't keep good track of what I was checking each time.

Do you know if there is a reason they chose to do it this way? Accept the connection, but don't allow the client to do anything with it?

I didn't find FEATURE(delay_checks) in any of my cf files, so I think it's something else. Well, at any rate, thanks for your help.

- Max
Re: Sendmail ignores hosts.allow
On May 22, 2007, at 1:21 PM, Maxim Khitrov wrote:
> Do you know if there is a reason they chose to do it this way? Accept the connection, but don't allow the client to do anything with it?

There is some advantage to getting enough info from attempted spam to produce useful logging messages, even if you want your mail system to eventually return a 5xx permanent failure.

Some people also find that accepting and tying up spammer connections can help reduce the rate that spam gets pumped out, although for that to be really effective, it helps to have a teergrube (German for tarpit) in your MX list which is specially designed to very slowly accept traffic from potential spammers without tying down a lot of your own bandwidth.

-- 
-Chuck
Re: Sendmail ignores hosts.allow
On Tue, 22 May 2007 11:37:24 -0400 Maxim Khitrov [EMAIL PROTECTED] wrote:
> On 5/22/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>> I suspect sendmail is reading /etc/hosts.allow

Why would anyone expect that? /etc/hosts.allow is one of the control files for the TCP wrapper program, tcpd. (See man tcpd.)

>>     # Start by allowing everything (this prevents the rest of the file
>>     # from working, so remove it when you need protection).
>>     # The rules here work on a First match wins basis.
>>     #ALL : ALL : allow
>>
>> Did you comment out the above line?
>>
>> Steve
>
> Here's the entire file as it is right now:
>
>     # Deny sendmail to all clients (temporary)
>     sendmail : all : deny
>     # Allow anything from localhost
>     all : local ip : allow
>     # Process SSH deny rules
>     sshd : /etc/hosts.evil : deny
>     # Allow everything else
>     all : all : allow
>
> Once I can get sendmail to block all connection requests, I'll move it below the second rule. That way, only local processes will be able to use it. For now, however, that rule is being ignored completely.

Okay. First off, as noted above, /etc/hosts.{allow,deny} are not sendmail(8) control files. They are tcpd(8) control files.

Secondly, tcpd is normally interposed between inetd(8), which has essentially no built-in means of deciding whether to accept or reject TCP connections based upon the source address of the connection request. Instead of listing a particular program in /etc/inetd.conf as the program to run to service an incoming connection on a particular port, one lists the tcpd program and provides *it* the path of the desired service program. tcpd then looks at /etc/hosts.{allow,deny} to determine whether to close the connection or to pass it along to the service program.

Third, it is possible to run sendmail in non-daemon mode. If one does not wish to tie up kernel resources to keep a sendmail process in the system all the time, for example, one can list sendmail in /etc/inetd.conf for the SMTP port (25), so that an inbound connection will result in inetd(8) forking off a sendmail process to handle it. (See man sendmail, and try /usr/sbin/sendmail -bm IIRC.) It is in this setup *only* that the /etc/hosts.{allow,deny} files should have any effect whatsoever upon whether incoming connections are handled by sendmail. N.B. even in this case, it is tcpd reading those files and making the decisions, *not* sendmail.

Scott Bennett, Comm. ASMELG, CFIAG
* Internet: bennett at cs.niu.edu
* A well regulated and disciplined militia, is at all times a good
* objection to the introduction of that bane of all free governments
* -- a standing army.
*    -- Gov. John Hancock, New York Journal, 28 January 1790
Sendmail ignores hosts.allow
Hello,

I'm trying to restrict access to sendmail via hosts.allow. Don't need a firewall, since I just want to block everyone but the localhost from sending e-mail out. Anyway, it seems that sendmail ignores these settings even though it was compiled with TCPWRAPPERS. I added

    sendmail : all : deny

as the very first line in hosts.allow, just to see if it will let me connect from anywhere. It does - not just from localhost, but from all remote locations as well. I have no problems connecting and sending e-mail. Am I missing something?

I tested the same setup with sshd, and that works properly. After a quick search on google it seems that I'm not the only one with this problem, but I couldn't find any solution to this. Any help is greatly appreciated.

- Maxim Khitrov
Re: Sendmail ignores hosts.allow
On 5/21/07, Mikhail Goriachev [EMAIL PROTECTED] wrote:
> Maxim Khitrov wrote:
>> Hello,
>>
>> I'm trying to restrict access to sendmail via hosts.allow. Don't need a firewall, since I just want to block everyone but the localhost from sending e-mail out. Anyway, it seems that sendmail ignores these settings even though it was compiled with TCPWRAPPERS. I added
>>
>>     sendmail : all : deny
>>
>> as the very first line in hosts.allow, just to see if it will let me connect from anywhere. It does - not just from localhost, but from all remote locations as well. I have no problems connecting and sending e-mail. Am I missing something?
>
> I followed your earlier thread (hopefully this is a related topic).
>
> This is strange. By default, sendmail is disabled. You don't even have to put anything into rc.conf:
>
>     # grep sendmail /etc/defaults/rc.conf
>
> Sendmail listens and accepts local mail only. You can't connect to it from another machine:
>
>     # telnet some.host.tld 25
>     Trying 1.2.3.4...
>     telnet: connect to address 1.2.3.4: Connection refused
>     telnet: Unable to connect to remote host
>
> You must've tweaked something to make it behave differently.
>
>> I tested the same setup with sshd, and that works properly. After a quick search on google it seems that I'm not the only one with this problem, but I couldn't find any solution to this. Any help is greatly appreciated.
>
> Share with us your testing methodology. From previous thread, I understand that you just want something to submit your local mail (from daemons, scripts, etc). Then as others already said, a simple alias in /etc/mail/aliases and executing newaliases is sufficient.

Ok, so here's my current setup. I have sendmail_enable=NO in rc.conf (same as not having it there I guess), I've modified /etc/mail/aliases to forward everything sent to root to my gmail account, and I added

    sendmail : all : deny

as the first line to /etc/hosts.allow while I'm testing everything. Once I make sure that the deny rule works, I'll allow access to sendmail only from localhost. This is all on FreeBSD 6.2, but it's running in a jail, so that might have some effect.

From my previous thread, sendmail is used only to accept messages sent by processes running on the server, and send them to real e-mails specified in /etc/aliases. That part works. However, even though sendmail_enable is set to NO in rc.conf, sendmail still listens on port 25, accepts mail from remote hosts, and the hosts.allow rule doesn't seem to apply. Strange, isn't it? By the way, I just tried removing the sendmail_enable line from rc.conf completely and that had no effect.

All I do for testing is basically start/restart sendmail, then telnet to the server from my workstation at home. I get a standard reply, and can then do the usual HELO, MAIL FROM, RCPT TO, DATA, and so on. Relaying doesn't work, but sending to and all other aliases works fine (which in this case is bad).

Think this might be some bug when sendmail is running in a jail? I haven't modified anything beyond what's mentioned in this e-mail, and I've checked all the settings. I can definitely connect to the server from remote hosts despite the rc.conf and hosts.allow configuration.

- Maxim Khitrov
Re: Sendmail ignores hosts.allow
Maxim Khitrov wrote:
> Hello,
>
> I'm trying to restrict access to sendmail via hosts.allow. Don't need a firewall, since I just want to block everyone but the localhost from sending e-mail out. Anyway, it seems that sendmail ignores these settings even though it was compiled with TCPWRAPPERS. I added
>
>     sendmail : all : deny
>
> as the very first line in hosts.allow, just to see if it will let me connect from anywhere. It does - not just from localhost, but from all remote locations as well. I have no problems connecting and sending e-mail. Am I missing something?

I followed your earlier thread (hopefully this is a related topic).

This is strange. By default, sendmail is disabled. You don't even have to put anything into rc.conf:

    # grep sendmail /etc/defaults/rc.conf

Sendmail listens and accepts local mail only. You can't connect to it from another machine:

    # telnet some.host.tld 25
    Trying 1.2.3.4...
    telnet: connect to address 1.2.3.4: Connection refused
    telnet: Unable to connect to remote host

You must've tweaked something to make it behave differently.

> I tested the same setup with sshd, and that works properly. After a quick search on google it seems that I'm not the only one with this problem, but I couldn't find any solution to this. Any help is greatly appreciated.

Share with us your testing methodology. From previous thread, I understand that you just want something to submit your local mail (from daemons, scripts, etc). Then as others already said, a simple alias in /etc/mail/aliases and executing newaliases is sufficient.

Regards,
Mikhail.

-- 
Mikhail Goriachev
Webanoide
Telephone: +61 (0)3 62252501
Mobile Phone: +61 (0)4 38255158
E-Mail: [EMAIL PROTECTED]
Web: www.webanoide.org
Re: Sendmail ignores hosts.allow
On Mon, 21 May 2007, Maxim Khitrov wrote:
> On 5/21/07, Mikhail Goriachev [EMAIL PROTECTED] wrote:
>> Maxim Khitrov wrote:
>>> Hello,
>>>
>>> I'm trying to restrict access to sendmail via hosts.allow. Don't need a firewall, since I just want to block everyone but the localhost from sending e-mail out. Anyway, it seems that sendmail ignores these settings even though it was compiled with TCPWRAPPERS. I added
>>>
>>>     sendmail : all : deny
>>>
>>> as the very first line in hosts.allow, just to see if it will let me connect from anywhere. It does - not just from localhost, but from all remote locations as well. I have no problems connecting and sending e-mail. Am I missing something?
>>
>> I followed your earlier thread (hopefully this is a related topic).
>>
>> This is strange. By default, sendmail is disabled. You don't even have to put anything into rc.conf:
>>
>>     # grep sendmail /etc/defaults/rc.conf
>>
>> Sendmail listens and accepts local mail only. You can't connect to it from another machine:
>>
>>     # telnet some.host.tld 25
>>     Trying 1.2.3.4...
>>     telnet: connect to address 1.2.3.4: Connection refused
>>     telnet: Unable to connect to remote host
>>
>> You must've tweaked something to make it behave differently.
>>
>>> I tested the same setup with sshd, and that works properly. After a quick search on google it seems that I'm not the only one with this problem, but I couldn't find any solution to this. Any help is greatly appreciated.
>>
>> Share with us your testing methodology. From previous thread, I understand that you just want something to submit your local mail (from daemons, scripts, etc). Then as others already said, a simple alias in /etc/mail/aliases and executing newaliases is sufficient.
>
> Ok, so here's my current setup. I have sendmail_enable=NO in rc.conf (same as not having it there I guess), I've modified /etc/mail/aliases to forward everything sent to root to my gmail account, and I added
>
>     sendmail : all : deny
>
> as the first line to /etc/hosts.allow while I'm testing everything. Once I make sure that the deny rule works, I'll allow access to sendmail only from localhost. This is all on FreeBSD 6.2, but it's running in a jail, so that might have some effect.

sendmail_enable=NO means there is no sendmail daemon running. You can verify this via ps -aux | grep sendmail. Remove that statement. Without a reboot you can start sendmail by cd /etc/mail; make start.

Unless you have changed the freebsd.mc file and done a 'make install' I do not believe sendmail will accept any connections except on 127.0.0.1 (localhost). This is what you want I think. If that's it, as others have said, there is no reason to use the hosts.allow mechanism. This is independent of the jail environment. sockstat|grep sendmail and you can see what's going on.
Re: Sendmail ignores hosts.allow
On 5/21/07, doug [EMAIL PROTECTED] wrote:
> sendmail_enable=NO means there is no sendmail daemon running. You can verify this via ps -aux | grep sendmail. Remove that statement. Without a reboot you can start sendmail by cd /etc/mail; make start.
>
> Unless you have changed the freebsd.mc file and done a 'make install' I do not believe sendmail will accept any connections except on 127.0.0.1 (localhost). This is what you want I think. If that's it, as others have said, there is no reason to use the hosts.allow mechanism. This is independent of the jail environment. sockstat|grep sendmail and you can see what's going on.

Not the case for me, having sendmail_enable=NO and not having it in rc.conf results in the same behavior. Here's sendmail rcvar output:

Without sendmail_enable in rc.conf:

    # sendmail
    $sendmail_enable=NO
    # sendmail_submit
    $sendmail_submit_enable=YES
    # sendmail_clientmqueue
    $sendmail_msp_queue_enable=YES

With sendmail_enable=NO:

    # sendmail
    $sendmail_enable=NO
    # sendmail_submit
    $sendmail_submit_enable=YES
    # sendmail_clientmqueue
    $sendmail_msp_queue_enable=YES

With sendmail_enable=NONE:

    # sendmail
    $sendmail_enable=NO
    # sendmail_clientmqueue
    $sendmail_msp_queue_enable=NO

So the first two are identical (I don't see why they wouldn't be). As for the sendmail daemon, here's what grep tells me after the server is started:

    [EMAIL PROTECTED] [/]# ps -aux | grep sendmail
    smmsp 16473 0.0 0.1 3384 2276 ?? IsJ 4:47PM 0:00.00 sendmail: Queue [EMAIL PROTECTED]:30:00 for /var/spool/clientmqueue (sendmail
    root  20951 0.0 0.1 3484 2480 ?? SsJ 5:37PM 0:00.00 sendmail: accepting connections (sendmail)
    root  21303 0.0 0.0 1592  912 pn S+J 5:37PM 0:00.00 grep sendmail

And here's sockstat output:

    [EMAIL PROTECTED] [/]# sockstat -l4
    USER COMMAND  PID   FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
    root sendmail 20951 4  tcp4  ip:25         *:*
    root syslogd  45182 6  udp4  ip:514        *:*
    root sshd     60371 3  tcp4  ip:22         *:*

As you can see, sendmail is happily listening for all incoming connections with the NO setting. If it would only listen on localhost, then that would be the end of my problems. However, remember that the jail environment doesn't have localhost. In other words 127.0.0.1 does not refer to the jail. Loopback for me is the server's wan ip (hey that rhymes :), which is why I think that not having 127.0.0.1 may be confusing to sendmail.

- Max
Re: Sendmail ignores hosts.allow
Maxim Khitrov wrote:
> On 5/21/07, Mikhail Goriachev [EMAIL PROTECTED] wrote:
>> Maxim Khitrov wrote:
>>> Hello,
>>>
>>> I'm trying to restrict access to sendmail via hosts.allow. Don't need a firewall, since I just want to block everyone but the localhost from sending e-mail out. Anyway, it seems that sendmail ignores these settings even though it was compiled with TCPWRAPPERS. I added
>>>
>>> sendmail : all : deny
>>>
>>> as the very first line in hosts.allow, just to see if it will let me connect from anywhere. It does - not just from localhost, but from all remote locations as well. I have no problems connecting and sending e-mail. Am I missing something?
>>
>> I followed your earlier thread (hopefully this is a related topic).
>>
>> This is strange. By default, sendmail is disabled. You don't even have to put anything into rc.conf:
>>
>> # grep sendmail /etc/defaults/rc.conf
>>
>> Sendmail listens and accepts local mail only. You can't connect to it from another machine:
>>
>> # telnet some.host.tld 25
>> Trying 1.2.3.4...
>> telnet: connect to address 1.2.3.4: Connection refused
>> telnet: Unable to connect to remote host
>>
>> You must've tweaked something to make it behave differently.
>>
>>> I tested the same setup with sshd, and that works properly. After a quick search on google it seems that I'm not the only one with this problem, but I couldn't find any solution to this. Any help is greatly appreciated.
>>
>> Share with us your testing methodology.
>>
>> From previous thread, I understand that you just want something to submit your local mail (from daemons, scripts, etc). Then as others already said, a simple alias in /etc/mail/aliases and executing newaliases is sufficient.
>
> Ok, so here's my current setup. I have sendmail_enable=NO in rc.conf (same as not having it there I guess), I've modified /etc/mail/aliases to forward everything sent to root to my gmail account, and I added
>
> sendmail : all : deny
>
> as the first line to /etc/hosts.allow while I'm testing everything. Once I make sure that the deny rule works, I'll allow access to sendmail only from localhost. This is all on FreeBSD 6.2, but it's running in a jail, so that might have some effect.
>
> From my previous thread, sendmail is used only to accept messages sent by processes running on the server, and send them to real e-mails specified in /etc/aliases. That part works. However, even though sendmail_enable is set to NO in rc.conf, sendmail still listens on port 25, accepts mail from remote hosts, and the hosts.allow rule doesn't seem to apply. Strange, isn't it? By the way, I just tried removing sendmail_enable line from rc.conf completely and that had no effect.
>
> All I do for testing is basically start/restart sendmail, then telnet to the server from my workstation at home. I get a standard reply, and can then do the usual HELO, MAIL FROM, RCPT TO, DATA, and so on. Relaying doesn't work, but sending to and all other aliases works fine (which in this case is bad). Think this might be some bug when sendmail is running in a jail? I haven't modified anything beyond what's mentioned in this e-mail, and I've checked all the settings. I can definitely connect to the server from remote hosts despite the rc.conf and hosts.allow configuration.

This is a different story now. On your host machine (as in jails' host), sendmail binds to localhost and never responds to outside world. This is expected. However, sendmail in a jail, binds to jail's IP address and that is why you can talk to it from outside.

Run this on your host:

# sockstat -4l | grep sendmail

The output should look like this:

root sendmail 1624 4 tcp4 1.2.3.5:25 *:*
root sendmail 1624 4 tcp4 1.2.3.4:25 *:*
root sendmail 1624 4 tcp4 1.2.3.3:25 *:*
root sendmail 1624 4 tcp4 1.2.3.2:25 *:*
root sendmail 1208 3 tcp4 127.0.0.1:25 *:*

The first four are jails. The last one is host's sendmail being disabled.

I'd suggest using a firewall to protect your jails instead of trying to completely disable sendmails.

Regards,
Mikhail.

--
Mikhail Goriachev
Webanoide
Telephone: +61 (0)3 62252501
Mobile Phone: +61 (0)4 38255158
E-Mail: [EMAIL PROTECTED]
Web: www.webanoide.org

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
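The test Maxim describes depends on how tcpd-style access control resolves a rule such as `sendmail : all : deny`. FreeBSD ships a single /etc/hosts.allow: rules are scanned top to bottom, the first line whose daemon list and client list both match decides, and the `allow` or `deny` keyword in the option field is the verdict. Two details matter in practice. The stock file opens with `ALL : ALL : allow`, which shadows every rule below it, so a deny added anywhere but above that line never fires. And the daemon name that is matched is the one the wrapped program passes to libwrap (sendmail passes "sendmail"), not the path to the binary. The evaluator below is an added Python example, not code from this thread or from FreeBSD's tcp_wrappers, that applies those first-match semantics to a rule set so it can be checked before deployment. The two rule files are constructed for the example; EXCEPT lists, the KNOWN/UNKNOWN/PARANOID wildcards and spawn/twist options are not handled.

```python
import ipaddress

# Constructed hosts.allow in FreeBSD's single-file hosts_options(5) layout:
# "daemons : clients : option", first match wins, a rule with no verdict allows.
SAMPLE_HOSTS_ALLOW = """\
# Test rule from the thread: refuse every client of the wrapped sendmail.
sendmail : ALL : deny
sshd : 192.168.1.0/255.255.255.0 : allow
sshd : .example.net : allow
sshd : ALL : deny
ALL : localhost 127.0.0.1 : allow
ALL : ALL : allow
"""

# Constructed after the top of FreeBSD's stock file: the first line wins for
# every connection, so the deny underneath it is dead.
SHADOWED_HOSTS_ALLOW = """\
ALL : ALL : allow
sendmail : ALL : deny
"""


def parse_rules(text):
    """Return a list of (daemons, clients, verdict) tuples in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("rule needs at least daemons and clients: %r" % raw)
        options = [o.lower() for o in fields[2:]]
        verdict = "deny" if any(o.startswith("deny") for o in options) else "allow"
        rules.append((fields[0].split(), fields[1].split(), verdict))
    return rules


def _client_matches(pattern, ip, hostname):
    """hosts_access(5) client patterns: ALL, LOCAL, .suffix, prefix., net/mask, exact."""
    addr = ipaddress.ip_address(ip)
    host = (hostname or "").lower().rstrip(".")
    if pattern.upper() == "ALL":
        return True
    if pattern.upper() == "LOCAL":            # a hostname with no dot in it
        return bool(host) and "." not in host
    if pattern.startswith("."):               # domain suffix, e.g. .example.net
        return host.endswith(pattern.lower())
    if pattern.endswith("."):                 # address prefix, e.g. 192.168.
        return ip.startswith(pattern)
    if "/" in pattern:                        # net/mask or net/prefixlen
        return addr in ipaddress.ip_network(pattern, strict=False)
    if pattern.lower() == "localhost":        # libwrap compares the resolved name; shortcut here
        return addr.is_loopback or host == "localhost"
    return pattern.lower() == host or pattern == ip


def _daemon_matches(pattern, daemon):
    name = pattern.split("@", 1)[0]           # "daemon@server" restricts by server address; ignored
    return name.upper() == "ALL" or name == daemon


def decide(rules, daemon, ip, hostname=None):
    """First-match evaluation: (verdict, index of the winning rule).
    index is None when nothing matched, in which case libwrap allows."""
    for index, (daemons, clients, verdict) in enumerate(rules):
        if any(_daemon_matches(d, daemon) for d in daemons) and \
           any(_client_matches(c, ip, hostname) for c in clients):
            return verdict, index
    return "allow", None


def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier ALL : ALL rule
    matches every connection first."""
    for index, (daemons, clients, _) in enumerate(rules):
        if any(d.upper() == "ALL" for d in daemons) and any(c.upper() == "ALL" for c in clients):
            return list(range(index + 1, len(rules)))
    return []


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_HOSTS_ALLOW)
    for daemon, ip, host in [("sendmail", "127.0.0.1", "localhost"),
                             ("sendmail", "203.0.113.7", None),
                             ("sshd", "192.168.1.20", None),
                             ("sshd", "203.0.113.7", "gw.example.net"),
                             ("sshd", "203.0.113.7", "bad.example.org")]:
        print(daemon, ip, host, "->", decide(rules, daemon, ip, host))
    print("dead rules in stock-style file:", shadowed_rules(parse_rules(SHADOWED_HOSTS_ALLOW)))
```

With the first file, `sendmail : ALL : deny` on line one wins for every client including localhost, which is the verdict Maxim expected to see; with the second file the same rule is reported as shadowed and the evaluator returns allow from the `ALL : ALL` line.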
Re: Sendmail ignores hosts.allow
doug wrote:
> On Mon, 21 May 2007, Maxim Khitrov wrote:
>> On 5/21/07, Mikhail Goriachev [EMAIL PROTECTED] wrote:
>>> Maxim Khitrov wrote:
>>>> Hello,
>>>>
>>>> I'm trying to restrict access to sendmail via hosts.allow. Don't need a firewall, since I just want to block everyone but the localhost from sending e-mail out. Anyway, it seems that sendmail ignores these settings even though it was compiled with TCPWRAPPERS. I added
>>>>
>>>> sendmail : all : deny
>>>>
>>>> as the very first line in hosts.allow, just to see if it will let me connect from anywhere. It does - not just from localhost, but from all remote locations as well. I have no problems connecting and sending e-mail. Am I missing something?
>>>
>>> I followed your earlier thread (hopefully this is a related topic).
>>>
>>> This is strange. By default, sendmail is disabled. You don't even have to put anything into rc.conf:
>>>
>>> # grep sendmail /etc/defaults/rc.conf
>>>
>>> Sendmail listens and accepts local mail only. You can't connect to it from another machine:
>>>
>>> # telnet some.host.tld 25
>>> Trying 1.2.3.4...
>>> telnet: connect to address 1.2.3.4: Connection refused
>>> telnet: Unable to connect to remote host
>>>
>>> You must've tweaked something to make it behave differently.
>>>
>>>> I tested the same setup with sshd, and that works properly. After a quick search on google it seems that I'm not the only one with this problem, but I couldn't find any solution to this. Any help is greatly appreciated.
>>>
>>> Share with us your testing methodology.
>>>
>>> From previous thread, I understand that you just want something to submit your local mail (from daemons, scripts, etc). Then as others already said, a simple alias in /etc/mail/aliases and executing newaliases is sufficient.
>>
>> Ok, so here's my current setup. I have sendmail_enable=NO in rc.conf (same as not having it there I guess), I've modified /etc/mail/aliases to forward everything sent to root to my gmail account, and I added
>>
>> sendmail : all : deny
>>
>> as the first line to /etc/hosts.allow while I'm testing everything. Once I make sure that the deny rule works, I'll allow access to sendmail only from localhost. This is all on FreeBSD 6.2, but it's running in a jail, so that might have some effect.
>
> sendmail_enable=NO means there is no sendmail daemon running. You can verify this via ps -aux | grep sendmail. Remove that statement. Without a reboot you can start sendmail by cd /etc/mail; make start.

sendmail_enable=NO tells sendmail to bind to localhost only (hence it becomes unreachable from the outside):

# sockstat -4l | grep sendmail
root sendmail 42310 4 tcp4 127.0.0.1:25 *:*

sendmail_enable=YES starts/adds the submit capability:

# sockstat -4l | grep sendmail
root sendmail 42262 4 tcp4 *:25 *:*
root sendmail 42262 5 tcp4 *:587 *:*

In both cases, executing ps -aux shows sendmail daemon is running. The first knob is the default as per /etc/defaults/rc.conf

> Unless you have changed the freebsd.mc file and done a 'make install' I do not believe sendmail will accept from any connections except on 127.0.0.1 (localhost). This is what you want I think. If that's it as others have said, there is no reason to use the hosts.allow mechanism. This is independent of the jail environment. sockstat|grep sendmail and you can see what's going on.

--
Mikhail Goriachev
Webanoide
Telephone: +61 (0)3 62252501
Mobile Phone: +61 (0)4 38255158
E-Mail: [EMAIL PROTECTED]
Web: www.webanoide.org
Re: Sendmail ignores hosts.allow
Maxim Khitrov wrote:
> On 5/21/07, doug [EMAIL PROTECTED] wrote:
>> sendmail_enable=NO means there is no sendmail daemon running. You can verify this via ps -aux | grep sendmail. Remove that statement. Without a reboot you can start sendmail by cd /etc/mail; make start.
>>
>> Unless you have changed the freebsd.mc file and done a 'make install' I do not believe sendmail will accept from any connections except on 127.0.0.1 (localhost). This is what you want I think. If that's it as others have said, there is no reason to use the hosts.allow mechanism. This is independent of the jail environment. sockstat|grep sendmail and you can see what's going on.
>
> Not the case for me, having sendmail_enable=NO and not having it in rc.conf results in the same behavior. Here's sendmail rcvar output:

Same behaviour because sendmail_enable=NO is already present in /etc/defaults/rc.conf so putting in /etc/rc.conf or removing it from there is the same thing.

> Without sendmail_enable in rc.conf:
>
> # sendmail
> $sendmail_enable=NO
> # sendmail_submit
> $sendmail_submit_enable=YES
> # sendmail_clientmqueue
> $sendmail_msp_queue_enable=YES
>
> With sendmail_enable=NO:
>
> # sendmail
> $sendmail_enable=NO
> # sendmail_submit
> $sendmail_submit_enable=YES
> # sendmail_clientmqueue
> $sendmail_msp_queue_enable=YES
>
> With sendmail_enable=NONE:
>
> # sendmail
> $sendmail_enable=NO
> # sendmail_clientmqueue
> $sendmail_msp_queue_enable=NO
>
> So the first two are identical (I don't see why they wouldn't be). As for the sendmail daemon, here's what grep tells me after the server is started:
>
> [EMAIL PROTECTED] [/]# ps -aux | grep sendmail
> smmsp 16473 0.0 0.1 3384 2276 ?? IsJ 4:47PM 0:00.00 sendmail: Queue [EMAIL PROTECTED]:30:00 for /var/spool/clientmqueue (sendmail
> root 20951 0.0 0.1 3484 2480 ?? SsJ 5:37PM 0:00.00 sendmail: accepting connections (sendmail)
> root 21303 0.0 0.0 1592 912 pn S+J 5:37PM 0:00.00 grep sendmail
>
> And here's sockstat output:
>
> [EMAIL PROTECTED] [/]# sockstat -l4
> USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
> root sendmail 20951 4 tcp4 ip:25 *:*
> root syslogd 45182 6 udp4 ip:514 *:*
> root sshd 60371 3 tcp4 ip:22 *:*
>
> As you can see, sendmail is happily listening for all incoming connections with the NO setting. If it would only listen on localhost, then that would be the end of my problems. However, remember that the jail environment doesn't have localhost. In other words 127.0.0.1 does not refer to the jail. Loopback for me is the server's wan ip (hey that rhymes :), which is why I think that not having 127.0.0.1 may be confusing to sendmail.

There you go. You just answered yourself.

--
Mikhail Goriachev
Webanoide
Telephone: +61 (0)3 62252501
Mobile Phone: +61 (0)4 38255158
E-Mail: [EMAIL PROTECTED]
Web: www.webanoide.org
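Maxim's listing is the whole story in one line: the submit-only daemon that FreeBSD starts when sendmail_enable is NO is told to bind to localhost (sendmail_submit_flags carries -ODaemonPortOptions=Addr=localhost), but a jail of that era has no 127.0.0.1 of its own and maps loopback onto the jail's address, so "bound to localhost" and "reachable from the Internet" become the same socket. The J in the ps STAT column marks those processes as jailed. The following is an added Python example, not code from the thread or from FreeBSD, that parses `sockstat -4l` output and reports which listeners are genuinely loopback-only and which are exposed; the sample lines are constructed after the format Maxim posted, with a documentation-range address in place of his masked "ip".

```python
import ipaddress

# Constructed after the sockstat(1) listing in the thread; 203.0.113.10 stands
# in for the jail's real address. One extra host-style loopback row and one
# wildcard row are added to exercise all three classes.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   20951 4  tcp4   203.0.113.10:25       *:*
root     syslogd    45182 6  udp4   203.0.113.10:514      *:*
root     sshd       60371 3  tcp4   203.0.113.10:22       *:*
root     sendmail   1208  3  tcp4   127.0.0.1:25          *:*
www      httpd      700   6  tcp4   *:80                  *:*
"""


def parse_sockstat(text):
    """Return one dict per listening socket in `sockstat -4l` output."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        parts = line.split()
        if len(parts) < 7:
            continue                             # blank or truncated line
        user, command, pid, fd, proto, local, foreign = parts[:7]
        addr, port = local.rsplit(":", 1)        # "203.0.113.10:25" or "*:80"
        rows.append({"user": user, "command": command, "pid": int(pid),
                     "proto": proto, "addr": addr, "port": int(port)})
    return rows


def exposure(addr):
    """Classify a bind address: 'loopback', 'wildcard' (every interface) or 'external'."""
    if addr == "*":
        return "wildcard"
    return "loopback" if ipaddress.ip_address(addr).is_loopback else "external"


def exposed_listeners(text, commands=None):
    """Listeners other hosts can reach, optionally restricted to some daemon names.
    Inside a jail that lacks its own 127.0.0.1 nothing will ever come back as
    'loopback', which is the condition the thread is describing."""
    found = []
    for row in parse_sockstat(text):
        if commands and row["command"] not in commands:
            continue
        row["exposure"] = exposure(row["addr"])
        if row["exposure"] != "loopback":
            found.append(row)
    return found


if __name__ == "__main__":
    for row in exposed_listeners(SAMPLE_SOCKSTAT, commands={"sendmail"}):
        print("%(command)s pid %(pid)d listens on %(addr)s:%(port)d (%(exposure)s)" % row)
```

Run against real output (`sockstat -4l | python3 audit.py` with a one-line change to read stdin), an empty result for sendmail is the state Mikhail's host shows; any row for the jail's sendmail is the exposure Maxim was trying to close with hosts.allow and, as Mikhail suggests, is more reliably closed by a packet filter in front of the jail.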
Re: Sendmail ignores hosts.allow
On 5/21/07, Mikhail Goriachev [EMAIL PROTECTED] wrote:
> Maxim Khitrov wrote:
>> On 5/21/07, Mikhail Goriachev [EMAIL PROTECTED] wrote:
>>> Maxim Khitrov wrote:
>>>> Hello,
>>>>
>>>> I'm trying to restrict access to sendmail via hosts.allow. Don't need a firewall, since I just want to block everyone but the localhost from sending e-mail out. Anyway, it seems that sendmail ignores these settings even though it was compiled with TCPWRAPPERS. I added
>>>>
>>>> sendmail : all : deny
>>>>
>>>> as the very first line in hosts.allow, just to see if it will let me connect from anywhere. It does - not just from localhost, but from all remote locations as well. I have no problems connecting and sending e-mail. Am I missing something?
>>>
>>> I followed your earlier thread (hopefully this is a related topic).
>>>
>>> This is strange. By default, sendmail is disabled. You don't even have to put anything into rc.conf:
>>>
>>> # grep sendmail /etc/defaults/rc.conf
>>>
>>> Sendmail listens and accepts local mail only. You can't connect to it from another machine:
>>>
>>> # telnet some.host.tld 25
>>> Trying 1.2.3.4...
>>> telnet: connect to address 1.2.3.4: Connection refused
>>> telnet: Unable to connect to remote host
>>>
>>> You must've tweaked something to make it behave differently.
>>>
>>>> I tested the same setup with sshd, and that works properly. After a quick search on google it seems that I'm not the only one with this problem, but I couldn't find any solution to this. Any help is greatly appreciated.
>>>
>>> Share with us your testing methodology.
>>>
>>> From previous thread, I understand that you just want something to submit your local mail (from daemons, scripts, etc). Then as others already said, a simple alias in /etc/mail/aliases and executing newaliases is sufficient.
>>
>> Ok, so here's my current setup. I have sendmail_enable=NO in rc.conf (same as not having it there I guess), I've modified /etc/mail/aliases to forward everything sent to root to my gmail account, and I added
>>
>> sendmail : all : deny
>>
>> as the first line to /etc/hosts.allow while I'm testing everything. Once I make sure that the deny rule works, I'll allow access to sendmail only from localhost. This is all on FreeBSD 6.2, but it's running in a jail, so that might have some effect.
>>
>> From my previous thread, sendmail is used only to accept messages sent by processes running on the server, and send them to real e-mails specified in /etc/aliases. That part works. However, even though sendmail_enable is set to NO in rc.conf, sendmail still listens on port 25, accepts mail from remote hosts, and the hosts.allow rule doesn't seem to apply. Strange, isn't it? By the way, I just tried removing sendmail_enable line from rc.conf completely and that had no effect.
>>
>> All I do for testing is basically start/restart sendmail, then telnet to the server from my workstation at home. I get a standard reply, and can then do the usual HELO, MAIL FROM, RCPT TO, DATA, and so on. Relaying doesn't work, but sending to and all other aliases works fine (which in this case is bad). Think this might be some bug when sendmail is running in a jail? I haven't modified anything beyond what's mentioned in this e-mail, and I've checked all the settings. I can definitely connect to the server from remote hosts despite the rc.conf and hosts.allow configuration.
>
> This is a different story now. On your host machine (as in jails' host), sendmail binds to localhost and never responds to outside world. This is expected. However, sendmail in a jail, binds to jail's IP address and that is why you can talk to it from outside.
>
> Run this on your host:
>
> # sockstat -4l | grep sendmail
>
> The output should look like this:
>
> root sendmail 1624 4 tcp4 1.2.3.5:25 *:*
> root sendmail 1624 4 tcp4 1.2.3.4:25 *:*
> root sendmail 1624 4 tcp4 1.2.3.3:25 *:*
> root sendmail 1624 4 tcp4 1.2.3.2:25 *:*
> root sendmail 1208 3 tcp4 127.0.0.1:25 *:*
>
> The first four are jails. The last one is host's sendmail being disabled.
>
> I'd suggest using a firewall to protect your jails instead of trying to completely disable sendmails.

I can't run that on my host, because I only have access to the jail (I'm paying for a vps server with another host). That makes sense however, I had a feeling that it was jail-related. But what about the hosts.allow problem? I can run a firewall, of course, but hosts.allow seems like a more efficient way of doing the same thing. I've already got it configured and working with sshd, so I see no reason why sendmail doesn't want to work the same way.

- Max
Re: Sendmail ignores hosts.allow
Maxim Khitrov wrote:
> On 5/21/07, Mikhail Goriachev [EMAIL PROTECTED] wrote:
>> Maxim Khitrov wrote:
>>> On 5/21/07, Mikhail Goriachev [EMAIL PROTECTED] wrote:
>>>> Maxim Khitrov wrote:
>>>>> Hello,
>>>>>
>>>>> I'm trying to restrict access to sendmail via hosts.allow. Don't need a firewall, since I just want to block everyone but the localhost from sending e-mail out. Anyway, it seems that sendmail ignores these settings even though it was compiled with TCPWRAPPERS. I added
>>>>>
>>>>> sendmail : all : deny
>>>>>
>>>>> as the very first line in hosts.allow, just to see if it will let me connect from anywhere. It does - not just from localhost, but from all remote locations as well. I have no problems connecting and sending e-mail. Am I missing something?
>>>>
>>>> I followed your earlier thread (hopefully this is a related topic).
>>>>
>>>> This is strange. By default, sendmail is disabled. You don't even have to put anything into rc.conf:
>>>>
>>>> # grep sendmail /etc/defaults/rc.conf
>>>>
>>>> Sendmail listens and accepts local mail only. You can't connect to it from another machine:
>>>>
>>>> # telnet some.host.tld 25
>>>> Trying 1.2.3.4...
>>>> telnet: connect to address 1.2.3.4: Connection refused
>>>> telnet: Unable to connect to remote host
>>>>
>>>> You must've tweaked something to make it behave differently.
>>>>
>>>>> I tested the same setup with sshd, and that works properly. After a quick search on google it seems that I'm not the only one with this problem, but I couldn't find any solution to this. Any help is greatly appreciated.
>>>>
>>>> Share with us your testing methodology.
>>>>
>>>> From previous thread, I understand that you just want something to submit your local mail (from daemons, scripts, etc). Then as others already said, a simple alias in /etc/mail/aliases and executing newaliases is sufficient.
>>>
>>> Ok, so here's my current setup. I have sendmail_enable=NO in rc.conf (same as not having it there I guess), I've modified /etc/mail/aliases to forward everything sent to root to my gmail account, and I added
>>>
>>> sendmail : all : deny
>>>
>>> as the first line to /etc/hosts.allow while I'm testing everything. Once I make sure that the deny rule works, I'll allow access to sendmail only from localhost. This is all on FreeBSD 6.2, but it's running in a jail, so that might have some effect.
>>>
>>> From my previous thread, sendmail is used only to accept messages sent by processes running on the server, and send them to real e-mails specified in /etc/aliases. That part works. However, even though sendmail_enable is set to NO in rc.conf, sendmail still listens on port 25, accepts mail from remote hosts, and the hosts.allow rule doesn't seem to apply. Strange, isn't it? By the way, I just tried removing sendmail_enable line from rc.conf completely and that had no effect.
>>>
>>> All I do for testing is basically start/restart sendmail, then telnet to the server from my workstation at home. I get a standard reply, and can then do the usual HELO, MAIL FROM, RCPT TO, DATA, and so on. Relaying doesn't work, but sending to and all other aliases works fine (which in this case is bad). Think this might be some bug when sendmail is running in a jail? I haven't modified anything beyond what's mentioned in this e-mail, and I've checked all the settings. I can definitely connect to the server from remote hosts despite the rc.conf and hosts.allow configuration.
>>
>> This is a different story now. On your host machine (as in jails' host), sendmail binds to localhost and never responds to outside world. This is expected. However, sendmail in a jail, binds to jail's IP address and that is why you can talk to it from outside.
>>
>> Run this on your host:
>>
>> # sockstat -4l | grep sendmail
>>
>> The output should look like this:
>>
>> root sendmail 1624 4 tcp4 1.2.3.5:25 *:*
>> root sendmail 1624 4 tcp4 1.2.3.4:25 *:*
>> root sendmail 1624 4 tcp4 1.2.3.3:25 *:*
>> root sendmail 1624 4 tcp4 1.2.3.2:25 *:*
>> root sendmail 1208 3 tcp4 127.0.0.1:25 *:*
>>
>> The first four are jails. The last one is host's sendmail being disabled.
>>
>> I'd suggest using a firewall to protect your jails instead of trying to completely disable sendmails.
>
> I can't run that on my host, because I only have access to the jail (I'm paying for a vps server with another host). That makes sense however, I had a feeling that it was jail-related. But what about the hosts.allow problem? I can run a firewall, of course, but hosts.allow seems like a more efficient way of doing the same thing. I've already got it configured and working with sshd, so I see no reason why sendmail doesn't want to work the same way.

Oh... right. Can't tell you much about hosts.allow, especially in jails, but I reckon someone else will.

Good luck!

Regards,
Mikhail.

--
Mikhail Goriachev
Webanoide
Telephone: +61 (0)3 62252501
Mobile Phone: +61 (0)4 38255158
E-Mail: [EMAIL PROTECTED]
Web: www.webanoide.org
Re: sendmail ignores hosts.allow
Can anyone confirm this behavior on their machine? Doing an ldd /usr/libexec/sendmail/sendmail shows:

/usr/libexec/sendmail/sendmail:
        libutil.so.3 => /usr/lib/libutil.so.3 (0x280fd000)
        libwrap.so.3 => /usr/lib/libwrap.so.3 (0x28106000)
        libssl.so.3 => /usr/lib/libssl.so.3 (0x2810e000)
        libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x2813e000)
        libc.so.4 => /usr/lib/libc.so.4 (0x2823e000)

so it's clearly linked with libwrap. What's going on here??

According to Rich Winkel:
> According to Ruben de Groot:
>> On Sun, Aug 29, 2004 at 11:53:55PM -0500, Rich Winkel typed:
>>> I'm running 4.10-release-p2. Sendmail is ignoring hosts.allow. Is this a known problem?
>>
>> AFAIK, no. Could you post your hosts.allow? Are you using sendmail from the base system?
>
> Hi, sorry I was burnt out from lack of sleep and beating my head against the wall :) I'm using the base system sendmail. I just put (as an example):
>
> sendmail : 127.0.0.1 : deny
>
> as the first line of /etc/hosts.allow, kill and restart sendmail (just in case) and do a telnet localhost 25 and it still connects:
>
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 crusty.math.missouri.edu ESMTP Sendmail 8.12.11/8.12.11; Mon, 30 Aug 2004 09:35:29 -0500 (CDT)
> quit
> 221 2.0.0 crusty.math.missouri.edu closing connection
>
> Do I need anything special in sendmail.cf? I don't think I used to ...
>
> Can anyone confirm this on their system?
>
> Thanks!!!
> Rich
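Rich's transcript cannot distinguish a wrapped sendmail from an unwrapped one. sendmail built with TCPWRAPPERS consults libwrap after accept(), and a client that hosts.allow rejects still receives the 220 banner and normal answers to HELO/EHLO, NOOP, RSET and QUIT; the refusal only shows up as "550 Access denied" in reply to MAIL FROM and the commands after it. A check therefore has to drive the dialogue at least to MAIL FROM, and to RCPT TO if the question is whether a message to a local alias would be taken, which is what Maxim observed in the 2007 thread above. The probe below is an added Python example, not code from either thread, with a scripted stand-in for the server so it runs offline; the reply strings are constructed and only modelled on sendmail's wording. `probe_host` runs the same dialogue against a live port 25 and is meant for hosts you administer. It never sends DATA, so it cannot inject mail.

```python
import socket

# Reply scripts, constructed for the example and modelled on sendmail's wording.
GREETING = "220 mta.example.invalid ESMTP Sendmail 8.13.8/8.13.8; Mon, 21 May 2007 18:00:00 -0400"

WRAPPED = {   # hosts.allow denial: banner and HELO look normal, MAIL FROM is refused
    "HELO": "250 mta.example.invalid Hello probe.example.invalid [203.0.113.7], pleased to meet you",
    "MAIL": "550 Access denied",
    "QUIT": "221 2.0.0 mta.example.invalid closing connection",
}
OPEN = {      # no wrapper verdict: a message for a local alias would be accepted
    "HELO": WRAPPED["HELO"],
    "MAIL": "250 2.1.0 <probe@example.invalid>... Sender ok",
    "RCPT": "250 2.1.5 <root>... Recipient ok",
    "QUIT": WRAPPED["QUIT"],
}
RELAY_DENIED = dict(OPEN, RCPT="550 5.7.1 <someone@elsewhere.invalid>... Relaying denied")


class ScriptedPeer:
    """Offline stand-in for the remote MTA: answers each command verb from a table."""

    def __init__(self, greeting, replies):
        self._pending = [greeting]
        self._replies = replies
        self.sent = []                       # commands the probe issued, for inspection

    def readline(self):
        return self._pending.pop(0) + "\r\n" if self._pending else ""

    def sendline(self, command):
        self.sent.append(command)
        verb = command.split(None, 1)[0].split(":", 1)[0].upper()
        reply = self._replies.get(verb, '500 5.5.1 Command unrecognized: "%s"' % verb)
        self._pending.extend(reply.split("\n"))


def read_reply(readline):
    """Read one SMTP reply, skipping '250-' continuation lines; return (code, final line)."""
    while True:
        line = readline()
        if not line:
            raise ConnectionError("server closed the connection")
        line = line.rstrip("\r\n")
        if len(line) >= 4 and line[3] == " ":   # "250 text" ends the reply, "250-text" continues
            return int(line[:3]), line


def probe_dialogue(readline, sendline, rcpt="<root>"):
    """Greeting -> HELO -> MAIL FROM -> RCPT TO, then QUIT. Returns (verdict, last reply).

    'wrapped'        banner and HELO accepted, MAIL FROM answered 550 Access denied
    'mail-rejected'  MAIL FROM refused for some other reason
    'rcpt-rejected'  sender accepted, recipient refused (e.g. relaying denied)
    'open'           the server would take a message for rcpt: reachable and unwrapped
    """
    code, text = read_reply(readline)
    if code != 220:
        return "greeting-%d" % code, text
    sendline("HELO probe.example.invalid")
    code, text = read_reply(readline)
    if code != 250:
        sendline("QUIT")
        return "helo-rejected", text
    sendline("MAIL FROM:<probe@example.invalid>")
    code, text = read_reply(readline)
    if code >= 400:
        sendline("QUIT")
        return ("wrapped" if "access denied" in text.lower() else "mail-rejected"), text
    sendline("RCPT TO:" + rcpt)
    code, text = read_reply(readline)
    sendline("QUIT")                         # stop before DATA: the probe must not inject mail
    return ("open" if code in (250, 251) else "rcpt-rejected"), text


def probe_host(host, port=25, timeout=15):
    """Run the same dialogue against a real listener (only on hosts you administer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            rfile = sock.makefile("r", encoding="latin-1", newline="")
            return probe_dialogue(rfile.readline,
                                  lambda cmd: sock.sendall((cmd + "\r\n").encode("ascii")))
    except ConnectionRefusedError:
        return "refused", None               # nothing listening, or a packet filter in the way


if __name__ == "__main__":
    for name, script in (("wrapped", WRAPPED), ("open", OPEN), ("relay denied", RELAY_DENIED)):
        peer = ScriptedPeer(GREETING, script)
        print("%-13s -> %s" % (name, probe_dialogue(peer.readline, peer.sendline)))
```

Read against the thread: Rich's session (banner, QUIT, 221) is consistent with both the "wrapped" and the "open" script and so proves nothing; Maxim's session, where MAIL FROM and RCPT TO to an alias both succeed from a remote host, is the "open" outcome, and his "relaying doesn't work" is the "rcpt-rejected" one. Only a 550 at MAIL FROM shows the hosts.allow rule actually firing.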
sendmail ignores hosts.allow
I'm running 4.10-release-p2. Sendmail is ignoring hosts.allow. Is this a known problem?

Thanks,
Rich